The secondary setup instance is the only way. The proxy setup would require you to open paths that are restricted by the existing firewall effectively exposing the internal/restricted system to a possible

you need to install a nagios instance on the proxy server that will monitor them and report back to the main one.
For clarity: Presumably opening firewall routes/paths to allow main nagios to query/access these systems is out of the question.

The secondary setup instance is the only way. The proxy setup would require you to open paths that are restricted by the existing firewall effectively exposing the internal/restricted system to a possible mistake.
Since you are planing on using the existing proxy (presumably reverse proxy) that is currently being accessed .........

The two instances let you test external (from the main) while testing internal portions using the second internal instance.

This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg).
If you're looking for how to monitor bandwidth using netflow or packet s…